> On 23 Apr 2024, at 16:51, Hubert W <hubert.wisniew...@gmail.com> wrote:
>
> Dear WG,
>
>
> I woke up with one idea and I would like to challenge it.
> In IPv6, every device receives a routable address. To protect endpoints
> effectively, we require firewalls to filter unwanted traffic.

Apart from packet volume this is a false assertion. No device should require a firewall.

> But what if we could stop such traffic at the source? Could this approach
> convince more people toward adopting IPv6?
>
> According to RFC 7381: “In a /48 assignment, typical for a site, there are
> then still 65,535 /64 blocks.” and “All user access networks should be a /64.”

/64 is typical not required.

> Can we use then bit 63 to convey a message: “I don’t want any incoming
> traffic initiated towards me!!!”? Of course a response would be accepted.
>
> We could divide the /64 allocations into two groups: one for servers, and
> these accept incoming traffic (bit 63 = 0):
>
> for example 2001:0db8:0000:0000::/64
>
> And the second group: endpoints, these never accept incoming traffic (bit 63
> = 1):
>
> for example 2001:0db8:0000:0001::/64
>
> We only need all systems to understand the message. If a router or firewall
> sees such a packet, then drops it.
> Every TCP packet with flag SYN, where destination address (IPv6) has bit 63
> equal 1, must be dropped.

All the world is not TCP. Additionally for TCP the filtering device would need to track state and that implies symmetric routing.

> Would it be theoretically possible?

No.

> Best regards
>
> Hubert Wisniewski
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> i...@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
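The rule proposed in the quoted message, written out as a stateless per-packet classifier; this is an added example, not part of either author's mail. It assumes "SYN" means SYN without ACK (so replies to endpoint-initiated connections pass), ignores extension headers, and runs on constructed packets using documentation-prefix addresses; all function names are hypothetical.

```python
import ipaddress
import struct

TCP, UDP = 6, 17          # IPv6 Next Header values
SYN, ACK = 0x02, 0x10     # TCP flag bits

def endpoint_bit(addr) -> int:
    """Bit 63 counted from the most significant bit: the last bit of the /64 prefix."""
    return (int(ipaddress.IPv6Address(addr)) >> 64) & 1

def build_packet(src: str, dst: str, next_header: int, tcp_flags: int = 0) -> bytes:
    """Constructed sample packet: fixed IPv6 header plus a minimal TCP or UDP header."""
    if next_header == TCP:
        # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, 53, 8, 0)   # sport, dport, length, checksum
    fixed = struct.pack("!IHBB", 6 << 28, len(l4), next_header, 64)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + l4)

def verdict(packet: bytes) -> str:
    """Apply the proposed rule to one raw IPv6 packet, with no connection state."""
    next_header = packet[6]
    if endpoint_bit(packet[24:40]) == 0:
        return "forward"      # destination is in a "server" /64: rule does not apply
    if next_header != TCP:
        return "forward"      # the rule as written covers TCP only (no UDP, ICMPv6, ...)
    flags = packet[40 + 13]   # TCP flags byte, directly after the 40-byte fixed header
    if flags & SYN and not flags & ACK:
        return "drop"         # unsolicited connection attempt towards an "endpoint" /64
    return "forward"          # SYN-ACK and later segments pass without any state check
```

The UDP datagram addressed to the endpoint prefix is forwarded, as is any TCP segment without a bare SYN, because the classifier keeps no state.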